July TC39 meeting notes, day 1

David Bruant david.bruant at labri.fr
Sun Aug 14 06:55:27 PDT 2011


Le 08/08/2011 17:50, Andreas Rossberg a écrit :
> On 4 August 2011 19:34, Brendan Eich <brendan at mozilla.com> wrote:
>> On Jul 31, 2011, at 1:04 PM, Sean Eagan wrote:
>>
>>> A 'receiver' argument is not needed because it would never be
>>> different than the proxy, and the proxy can either be passed as an
>>> argument or stored either as an own property of the handler, or as a
>>> value keyed by the handler in a weak map, which there seems to have
>>> been TC39 concensus on.
>> Ok, right -- even without the extra proxy parameter in addition to receiver, dropping receiver makes sense. Sorry to go in a circle on this.
>>
>> It's a trap API change, and I agree with Mark that we need Tom to bless it.
> I would welcome removing the extra receiver (or proxy) arguments from
> get and set traps. However, it seems to me that the main reason,
> currently, for having them is that they are needed by the default
> traps, in case the respective descriptor returned by
> getOwnPropertyDescriptor has a getter/setter (which need a receiver).
>
> Arguably, making a proxy trap return getters/setters seems a somewhat
> pointless use case anyway. (...)
Sorry for the late answer. i read your message and disagreed, but in
lack of argument, i let it go. But i have now an argument which is
unrelated to proxies and state some difference between data and
accessors properties and the necessity of the latter for some use cases:

I think that if the "cookie" property of the document element (or the
relevant object in its prototype chain) could be removed, it could
prevent cookie theft. For this to happen, i'd need "cookie" to be
configurable.
One issue is that if i remove document.cookie, not only untruted scripts
cannot get/set cookies, but i can't either... unless cookies are a
getter/setter pair i can extract before removing the property.
This, done in trusted code allows me to remove access to untrusted code
while keeping the capability for myself and keeping the possibility to
hand the right to get/set the cookie string to scripts i trust.
This (selective access to getting/setting the cookie string) cannot be
done with proxies returning data descriptors.
So I think that making a proxy trap return a getter/setter is not pointless.

Code: https://gist.github.com/1144875
For the record, IE9 has a getter/setter pair for cookies (i don't
remember if it's configurable and can't test it now). Firefox and Chrome
have a data descriptor. Opera doesn't have Object.getOwnPropertyDescriptor.

That wasn't really my plan, but where is the right place to discuss
ECMAScript-related topic of the DOM (like property descriptor of DOM
properties)? public-script-coord?

David


More information about the es-discuss mailing list